Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:76568 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 90091 invoked from network); 15 Aug 2014 19:18:53 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 15 Aug 2014 19:18:53 -0000 Authentication-Results: pb1.pair.com header.from=jakub.php@gmail.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=jakub.php@gmail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.213.178 as permitted sender) X-PHP-List-Original-Sender: jakub.php@gmail.com X-Host-Fingerprint: 209.85.213.178 mail-ig0-f178.google.com Received: from [209.85.213.178] ([209.85.213.178:53278] helo=mail-ig0-f178.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 1F/CB-48767-A1D5EE35 for ; Fri, 15 Aug 2014 15:18:51 -0400 Received: by mail-ig0-f178.google.com with SMTP id uq10so2708435igb.5 for ; Fri, 15 Aug 2014 12:18:48 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=Hhypjyfmf9dOLUDmBxdbxhcuLviduKM6dTbmUjn80xw=; b=qxphBPZy2b8394RuHT4XhSDPwDYlFrBsxCHPsI5pJdFcHmu7ZCYfJy+bY7CXbtggwZ PDYH6JM1xvKEryN81e/DkfwJQ4Vz01ygBesxR4bLodtJ2ecPAUtzuOOTYj6C7hA+5BWR 0bQxtuTK944fDa8Ay8rBkze5yqOK/0FxIHMNtWmu3ACVSlGJu7aYiOMh+umMZjh36rmw pb961EaRZ6z/bBfeeCu+diD9sl8Dp2tbGZ4MrwXq2OLJIrfUmdzyIFxNW+0b/EigrtH7 tD5NO6IWlGsdYKDc/mtA/zN9wtvg0LjUpIPegwmijHbkSDm2gqWvVSE3VUHI/RfWY3H5 tp8w== MIME-Version: 1.0 X-Received: by 10.42.60.211 with SMTP id r19mr3262038ich.64.1408130328195; Fri, 15 Aug 2014 12:18:48 -0700 (PDT) Sender: jakub.php@gmail.com Received: by 10.107.135.106 with HTTP; Fri, 15 Aug 2014 12:18:48 -0700 (PDT) In-Reply-To: <53EE589F.7030109@sugarcrm.com> References: <53EA93F0.8090104@sugarcrm.com> <53ED6027.3000704@sugarcrm.com> <53EE589F.7030109@sugarcrm.com> Date: Fri, 15 Aug 2014 20:18:48 +0100 X-Google-Sender-Auth: sPcktMs42Roa-lhGDY9jENK8ACE Message-ID: To: Stas Malyshev Cc: Pierre Joye , PHP Internals Content-Type: multipart/alternative; boundary=90e6ba6e89b80279000500afe4e9 Subject: Re: [PHP-DEV] Re: glob() bug 47358 From: bukka@php.net (Jakub Zelenka) --90e6ba6e89b80279000500afe4e9 Content-Type: text/plain; charset=UTF-8 Hi, On Fri, Aug 15, 2014 at 7:59 PM, Stas Malyshev wrote: > Hi! > > > The source of the problem is that the open_basedir will always leek > > information about dirs that the user is not suppose to see (out of the > > open_basedir restriction). The reason is that false value can indicate > > that (more info in the PR or https://bugs.php.net/bug.php?id=65489 ). > > However not sure if it's so big issue as no one should ever use > > open_basedir in security context anyway... :) > > The biggest problem with glob() was not security but the fact that it > returned false on non-existing files when open_basedir is set, even when > everything is inside open_basedir context. Ideally, glob() should return > the same with and without open_basedir, with added restriction that if > open_basedir disallows access to some dir/file, then this dir/file does > not exist for the purposes of glob(). I'm not sure though if glob() does > that right now completely or how hard it would be to fix it, I didn't > look into it deeper. I just noticed that a very old bug was not fixed in > 5.4/5.5 by mistake, and this bug makes usage of glob with open_basedir > very annoying, as you can not use glob() in foreach() anymore. > The Pierre's commit is fine. It fixes the problem that you just described. So well done for backporting it... ;) However the second commit from Anatol is unrelated to the Pierre's and doesn't really fix anything. It was probably forgotten there when we all forgot about that problem... :) Anyway there are probably more important things than securing open_basedir that is not secure anyway :) Cheers Jakub --90e6ba6e89b80279000500afe4e9--